Invicti vs SonarQube Server (formerly SonarQube) comparison

Invicti and Sonar are both solutions in the Static Application Security Testing (SAST) category. Invicti is ranked #14 with an average rating of 8.9, while Sonar is ranked #1 with an average rating of 8.2. Invicti holds a 1.5% mindshare in SAST, compared to Sonar’s 28.4% mindshare. Additionally, 96% of Invicti users are willing to recommend the solution, compared to 81% of Sonar users who would recommend it.

Invicti

Read 28 Invicti reviews

2,950 Views
1,573 Comparison Views

96% willing to recommend

SonarQube Server (formerly ...

Read 113 SonarQube Server (formerly SonarQube) reviews

42,185 Views
34,676 Comparison Views

81% willing to recommend

Invicti

SonarQube Server (formerly ...

Comparison Buyer's Guide

Download the report

Executive SummaryUpdated on Oct 30, 2024

Invicti and SonarQube Server are both prominent in application security testing. While Invicti is noted for its straightforward support and competitive pricing, SonarQube Server is preferred for its feature set and extensive integration, providing a significant edge in value proposition.

Features: Invicti is recognized for automated scanning, seamless CI/CD pipeline integration, and real-time vulnerability insights. SonarQube Server excels with robust static code analysis, multi-language support, and comprehensive reporting features.

Room for Improvement: Invicti could benefit from richer static analysis capabilities, adding more language support, and enhancing its documentation. SonarQube Server might improve its cloud deployment options, simplify initial configuration, and expand its real-time insights.

Ease of Deployment and Customer Service: Invicti offers cloud-based deployment, ideal for rapid implementation, supported by a responsive service team. SonarQube Server's on-premises deployment requires more setup but offers detailed documentation and a supportive community for deeper customization.

Pricing and ROI: Invicti provides a lower entry cost, yielding faster ROI through efficient scanning processes. SonarQube Server requires a higher upfront investment but promises substantial long-term ROI by improving code quality continuously.

To learn more, read our detailed Invicti vs. SonarQube Server (formerly SonarQube) Report (Updated: January 2025).

Buyer's Guide

Invicti vs. SonarQube Server (formerly SonarQube)

January 2025

Download the complete report

Helped 831,265 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Categories and Ranking

Invicti

Ranking in Static Application Security Testing (SAST)

14th

Average Rating

8.2

Reviews Sentiment

7.1

Number of Reviews

Ranking in other categories

API Security (5th), Dynamic Application Security Testing (DAST) (3rd)

SonarQube Server (formerly ...

Ranking in Static Application Security Testing (SAST)

1st

Average Rating

8.0

Reviews Sentiment

7.5

Number of Reviews

113

Ranking in other categories

Application Security Tools (1st), Software Development Analytics (1st)

Mindshare comparison

As of January 2025, in the Static Application Security Testing (SAST) category, the mindshare of Invicti is 1.5%, up from 1.2% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 28.4%, down from 28.8% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Static Application Security Testing (SAST)

Featured Reviews

JanetMuhia

Cyber Security Engineer at Spartec

Streamlined our security efforts by allowing us to integrate with tools like Jira

From my experience, Invicti is an exceptionally stable solution for web application security. Here's what stands out: * Consistent Performance: Over the three years we’ve used it, the solution has demonstrated reliable and consistent performance, even during large-scale scanning operations. * Minimal Downtime: I have not encountered significant downtime or disruptions while using Invicti, which is critical for security tools that organizations rely on continuously. * Robust Architecture: Its ability to handle complex scanning tasks without crashes or lag reflects its well-engineered platform. * Regular Updates: Invicti frequently releases updates and patches, which enhance functionality and address any stability concerns proactively. Rating : I would confidently rate Invicti’s stability at 9.5 out of 10. It ensures uninterrupted operations and supports high-performance demands, which are essential for enterprise environments.

Read full review

Wang Dayong

Senior Software Engineering Manager at Hill

Easy to integrate and has a plug-in that supports both C and C++ languages

The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line. The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"The dashboard is really cool, and the features are really good. It tells you about the software version you're using in your web application. It gives you the entire technology stack, and that really helps. Both web and desktop apps are good in terms of application scanning. It has a lot of security checks that are easily customizable as per your requirements. It also has good customer support."

"It correctly parses DOM and JS and has really good support for URL Rewrite rules, which is important for today's websites."

"This tool is really fast and the information that they provide on vulnerabilities is pretty good."

"Invicti's best feature is the ability to identify vulnerabilities and manually verify them."

"High level of accuracy and quick scanning."

"The platform is stable."

"The scanner is light on the network and does not impact the network when scans are running."

"When we try to manually exploit the vulnerabilities, it often takes time to realize what's going on and what needs to be done."

More Invicti pros

"The features of SonarQube that I find most valuable for identifying code smells are its comprehensive code analysis capabilities, which cover various aspects of code sustainability."

"We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part."

"The SonarQube dashboard looks great."

"I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."

"The most valuable features are the dashboard reports and the ease of integrating it with Jenkins."

"Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration."

"The solution has a plug-in that supports both C and C++ languages."

"One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside."

More SonarQube Server (formerly SonarQube) pros

Cons

"The license could be better. It would help if they could allow us to scan multiple URLs on the same license. It's a major hindrance that we are facing while scanning applications, and we have to be sure that the URLs are the same and not different so that we do not end up consuming another license for it. Netsparker is one of the costliest products in the market. The licensing is tied to the URL, and it's restricted. If you have a URL that you scanned once, like a website, you cannot retry that same license. If you are scanning the same website but in a different domain or different URL, you might end up paying for a second license. It would also be better if they provided proper support for multi-factor authentications. In the next release, I would like them to include good multi-factor authentication support."

"The proxy review, the use report views, the current use tool and the subset requests need some improvement. It was hard to understand how to use them."

"Maybe the ability to make a good reporting format is needed."

"It would be better for listing and attacking Java-based web applications to exploit vulnerabilities."

"Currently, there is nothing I would like to improve."

"Netsparker doesn't provide the source code of the static application security testing."

"They don't really provide the proof of concept up to the level that we need in our organization. We are a consultancy firm, and we provide consultancy for the implementation and deployment solutions to our customers. When you run the scans and the scan is completed, it only shows the proof of exploit, which really doesn't work because the tool is running the scan and exploiting on the read-only form. You don't really know whether it is actually giving the proof of exploit. We cannot prove it manually to a customer that the exploit is genuine. It is really hard to perform it manually and prove it to the concerned development, remediation, and security teams. It is currently missing the static application security part of the application security, especially web application security. It would be really cool if they can integrate a SAS tool with their dynamic one."

"I think that it freezes without any specific reason at times. This needs to be looked into."

More Invicti cons

"The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities."

"SonarQube could be improved by implementing inter-procedural code analysis capabilities, allowing for a more comprehensive detection of defects and vulnerabilities across the entire codebase."

"If you don't have any experience with the configuration or how to configure the files, it can be complicated."

"Currently requires multiple tools, lacking one overall tool."

"The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."

"The tool needs to be more compatible with C/C++ language"

"In terms of analysis and findings, other tools provide more in-depth insights and detailed steps to mitigate or handle issues."

"It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect."

More SonarQube Server (formerly SonarQube) cons

Pricing and Cost Advice

"Invicti is best suited for large enterprises. I don't think small and medium-sized businesses can afford it. Maintenance costs aren't that great."

"It is competitive in the security market."

"OWASP Zap is free and it has live updates, so that's a big plus."

"I think that price it too high, like other Security applications such as Acunetix, WebInspect, and so on."

"The solution is very expensive. It comes with a yearly subscription. We were paying 6000 dollars yearly for unlimited scans. We have three licenses; basic, business, and ultimate. We need ultimate because it has unlimited scan numbers."

"The price should be 20% lower"

"We are using an NFR license and I do not know the exact price of the NFR license. I think 20 FQDN for three years would cost around 35,000 US Dollars."

"Netsparker is one of the costliest products in the market. It would help if they could allow us to scan multiple URLs on the same license."

More Invicti pricing and cost advice

"This product is open source and very convenient."

"We have a license with 125,000 lines of code. We did not purchase a lot of lines but it is specific to our code environment."

"The solution is cheaper than other products."

"Some of the plugins that were previously free are not free now."

"I use the full trial version of SonarQube."

"On the pricing side, it's 3,000 Euros for 1 million lines of code."

"Get the paid version which allows the customized dashboard and provides technical support."

"It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries."

More SonarQube Server (formerly SonarQube) pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

831,265 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Educational Organization

56%

Financial Services Firm

Computer Software Company

Manufacturing Company

Financial Services Firm

17%

Computer Software Company

15%

Manufacturing Company

13%

Government

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

Questions from the Community

What is your experience regarding pricing and costs for Netsparker Web Application Security Scanner?

As a technical user, I do not handle pricing or licensing, but I am aware that Invicti offers flexible licensing models based on organizational needs.

See all answers

What do you like most about Invicti?

The most valuable feature of Invicti is getting baseline scanning and incremental scan.

See all answers

What needs improvement with Invicti?

Currently, there is nothing I would like to improve.

See all answers

Is SonarQube the best tool for static analysis?

I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...

See all answers

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...

See all answers

How would you decide between Coverity and Sonarqube?

We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...

See all answers

Comparisons

Acunetix vs Invicti

Compared 16% of the time

OWASP Zap vs Invicti

Compared 16% of the time

Qualys Web Application Scanning vs Invicti

Compared 7% of the time

PortSwigger Burp Suite Professional vs Invicti

Compared 6% of the time

HCL AppScan vs Invicti

Compared 5% of the time

More Invicti Competitors

Checkmarx One vs SonarQube Server (formerly SonarQube)

Compared 15% of the time

Coverity vs SonarQube Server (formerly SonarQube)

Compared 12% of the time

SonarQube Cloud (formerly SonarCloud) vs SonarQube Server (formerly SonarQube)

Compared 12% of the time

GitHub Advanced Security vs SonarQube Server (formerly SonarQube)

Compared 10% of the time

Veracode vs SonarQube Server (formerly SonarQube)

Compared 9% of the time

More SonarQube Server (formerly SonarQube) Competitors

Product Reports

Buyer's Guide

Invicti

January 2025

Download Invicti product report

Buyer's Guide

SonarQube Server (formerly SonarQube)

December 2024

SonarQube Server (formerly SonarQube) report

Download SonarQube Server (formerly SonarQube) product report

Also Known As

Netsparker

Sonar

Learn More

Invicti

Sonar

Interactive Demo

Demo not available

Invicti

Sonar

Overview

Invicti helps DevSecOps teams automate security tasks and save hundreds of hours each month by identifying web vulnerabilities that matter. Combining dynamic with interactive testing (DAST + IAST) and software composition analysis (SCA), Invicti scans every corner of an app to find what other tools miss with 99.98% accuracy, delivering on the promise of Zero Noise AppSec. Invicti helps discover all web assets — even ones that are lost, forgotten, or created by rogue departments. With an array of out-of-the-box integrations, DevSecOps teams can get ahead of their workloads to hit critical deadlines, improve processes, and communicate more effectively while reducing risk and hitting the ROI goals.

SonarQube Server enhances code quality and security via static code analysis. It detects vulnerabilities, improves standards, and reduces technical debt, integrating into CI/CD pipelines.

SonarQube Server is a comprehensive tool for enhancing code quality and security. It offers static code analysis to identify vulnerabilities, improve coding standards, and reduce technical debt. By integrating into CI/CD pipelines, it provides automated checks for adherence to best practices. Organizations use it for code inspection, security testing, and compliance, ensuring development environments with better maintainability and fewer issues.

What are the key features of SonarQube Server?

Support for 20+ languages: Extensive programming language support suitable for diverse coding environments.
Custom coding rules: Allows for tailored rule sets to match specific coding standards.
Flexible quality gates: Define criteria for code acceptance at various intervals.
CI/CD integration: Seamless integration with Continuous Integration/Continuous Deployment tools.
Rich interface: User-friendly dashboard with detailed visual insights.

What benefits should users expect from SonarQube Server?

Improved code quality: Enhanced analysis contributes to fewer bugs and improved coding practices.
Security enhancements: Identifies and mitigates security vulnerabilities pre-emptively.
Maintainability: Reduces technical debt, yielding long-term development efficiency.
Customizable: Flexibility in configuration aligns with specific project needs.

Many industries implement SonarQube Server to uphold coding standards, maintain security protocols, and streamline their software development lifecycle. In sectors like finance and healthcare, adhering to regulations and ensuring reliable software is critical, making SonarQube Server invaluable. It is often integrated into CI/CD pipelines, ensuring that code changes meet set standards before deployment. This approach enhances productivity and maintains compliance with industry-specific requirements.

Sample Customers

Samsung, The Walt Disney Company, T-Systems, ING Bank

Information Not Available

Buyer's Guide

Invicti vs. SonarQube Server (formerly SonarQube)

January 2025

Free Report: Invicti vs. SonarQube Server (formerly SonarQube)

Find out what your peers are saying about Invicti vs. SonarQube Server (formerly SonarQube) and other solutions. Updated: January 2025.

DOWNLOAD NOW

831,265 professionals have used our research since 2012.

See our Invicti vs. SonarQube Server (formerly SonarQube) report.

See our list of best Static Application Security Testing (SAST) vendors.

We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.